GDPR Compliance: The Clock Is Ticking

The European Union’s (E.U.’s) General Data Protection Regulation (GDPR) standardizes privacy regulations across the E.U., and applies to any company worldwide that collects and processes the personal data of an E.U. resident. With the May 25, 2018 deadline for GDPR compliance looming large, your organization should already be well down the road to compliance. Penalties for noncompliance can reach up to 20 million euros or 4 percent of a company’s annual worldwide revenue, whichever is greater, so further inaction can be costly.

Any information that can be used to identify an individual directly or indirectly (even a business email or IP address) must be protected, and individuals have complete authority over how (and even if) their data can be used. With the deadline only months away, organizations should review their progress on this compliance journey. Here are three areas to consider during this review:

• Budget/resources. Now is the time to review any gaps in your GDPR compliance plan and determine if you need to approach your executive team or board for more budget and resources. Most organizations are finding they must transform the way they collect data, and market to and contact individuals. Companies will have to develop or modify processes used to seek permissions and preferences, as well as maintain the highest level of privacy and portability for an individual’s data. In addition, ensure you’re adequately budgeted and resourced to train and certify employees on GDPR requirements to their specific roles. My colleague, Julian Archer, has written extensively on many of the sales and marketing topics that GDPR impacts, particularly the issue of processing personal data for sales and marketing purposes.
• Vendors and partners. Under GDPR, you are still responsible for any data that is processed by a vendor or partner. Organizations that are serious about compliance and best practices are designing sales and marketing processes built upon privacy by design and default. However, the technology they are using to power such processes may not be compliant. Understand if and when your vendors will be compliant. Audit your existing systems (both cloud-based and on-premises) to understand how data is protected, and determine whether it is encrypted and pseudoanonymized at rest and in transit. This also applies to systems that store and process your employees’ personal data, as well as talent management and recruitment applications. In addition, you are responsible for any customer and prospect data that is passed on to channel partners. Ensure that the processes and systems your partners use are compliant.
• Communications. One of the GDPR requirements involves notifying the E.U. governing body, as well as any E.U. resident affected by a data breach, within 72 hours. Many vendors are claiming that encrypting and pseudoanonymizing the data in their applications will negate the need to provide data breach notifications, but this may be a risky assumption under the E.U.’s regulation. Organizations that have a cybersecurity incident response plan (CSIRP) may believe they are well equipped to meet the notification requirement. However, not all companies test their CSIRP on even an annual basis, so a review and simulation of such a plan is highly recommended – not just for internal systems, but also for a breach that affects any cloud application.

The GDPR compliance deadline is fast approaching, and SiriusDecisions is here to help. One of your top New Year’s resolutions should be to ensure that your organization is on track to meet this deadline. Now is the time to take stock of your progress and identify any gaps that will keep you from reaching compliance.